1. Field of the Invention
The present invention relates to computers and computer networks. More particularly, the invention relates to detecting malicious activities in the computer network.
2. Background of the Related Art
The term “botnet” refers to a collection of malicious software agents (referred to as robots) that run autonomously and automatically. The term “botnet” can also be used to refer to a collection of compromised computers (referred to as bots) each infected with one or more of such malicious software agents. For example, the infection may be a result of installation via drive-by downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. Typically, the owner (i.e., originator, operator, or controller) of a botnet uses the botnet to coordinate spam campaigns, launch denial-of-service attacks, or steal sensitive information. Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP (Internet service provider) Telenor disbanded a 10,000-node botnet. Large coordinated international efforts to shut down botnets have also been initiated. It has been estimated that up to one quarter of all personal computers connected to the internet may be part of a botnet.
A botnet's originator can control the bots remotely, usually through a means such as IRC (Internet Relay Chat), from a command-and-control (C&C) server. Though rare, more experienced botnet operators program their own commanding protocols from scratch. For example, these protocols may include a server program for C&C and a client program for operation that embeds itself on the victim's machine (i.e., bot). Both programs usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network.
Generally, detection of C&C channels is difficult for many reasons, including: 1) the use of HTTP protocols to bypass firewalls, 2) encryption to obscure payloads, and 3) “domain fast-flux,” i.e., constantly changing locations of command-and-control servers. Existing approaches that look for payload signatures can be easily defeated by encryption or obfuscation techniques. Techniques that identify periodic, beaconing traffic have difficulty in real traffic traces due to very high background noise levels and random timing perturbations introduced by new botnets. There are also practical limitations to collecting detailed flow data at high speed routers which can introduce unacceptable overhead on the network.